Abstract

Bit commitment is a fundamental cryptographic primitive with numerous applications. Quantum
information allows for bit commitment schemes in the information theoretic setting where
no dishonest party can perfectly cheat. The previously best-known quantum protocol by Ambainis
achieved a cheating probability of at most 3/4 [Amb01]. On the other hand, Kitaev showed
that no quantum protocol can have cheating probability less than $1/\sqrt{2}$ [Kit03] (his lower bound
on coin flipping can be easily extended to bit commitment). Closing this gap has since been an
important and open question.

In this paper, we provide the optimal bound for quantum bit commitment. We first show
a lower bound of approximately 0.739, improving Kitaev's lower bound. We then present an
optimal quantum bit commitment protocol which has cheating probability arbitrarily close to
0.739. More precisely, we show how to use any weak coin flipping protocol with cheating
probability $1/2 + \epsilon$ in order to achieve a quantum bit commitment protocol with cheating
probability $0.739 + O(\epsilon)$. We then use the optimal quantum weak coin flipping protocol described
by Mochon [Moc07]. To stress the fact that our protocol uses quantum effects beyond the weak
coin flip, we show that any classical bit commitment protocol with access to perfect weak (or
strong) coin flipping has cheating probability at least 3/4.

1 Introduction 

Quantum information has given us the opportunity to revisit information theoretic security in
cryptography. The first breakthrough result was a protocol of Bennett and Brassard [BB84] that
showed how to securely distribute a secret key between two players in the presence of an omnipotent
eavesdropper. Thenceforth, a long series of work has focused on which other cryptographic
primitives are possible with the help of quantum information. Unfortunately, the subsequent results
were not positive. Mayers and Lo, Chau proved the impossibility of secure quantum bit
commitment and oblivious transfer and consequently of any type of two-party secure computation
[May97, LC97, DKSW07]. However, several weaker variants of these primitives have been
shown to be possible [HK04, BCH+08].

The main primitives that have been studied are coin flipping, bit commitment and oblivious
transfer. Coin flipping is a cryptographic primitive that enables two distrustful and far apart
parties, Alice and Bob, to create a random bit that remains unbiased even if one of the players tries
to force a specific outcome. It was first proposed by Blum [Blu81] and has since found numerous
applications in two-party secure computation. In the classical world, coin flipping is possible under
computational assumptions like the hardness of factoring or the discrete log problem. However,
in the information theoretic setting, it is not hard to see that in any classical protocol, one of the
players can always bias the coin to his or her desired outcome with probability 1.

Aharonov et al. [ATVY00] provided a quantum protocol where no dishonest player could bias the
coin with probability higher than 0.9143. Then, Ambainis [Amb01] described an improved protocol
whose cheating probability was at most 3/4. Subsequently, a number of different protocols have
been proposed [SR01, NS03, KN04] that achieved the same bound of 3/4. On the other hand,
Kitaev [Kit03], using a formulation of quantum coin flipping protocols as semi-definite programs,
proved a lower bound of 1/2 on the product of the two cheating probabilities for Alice and Bob
(for a proof see e.g. [ABDR04]). In other words, no quantum coin flipping protocol can achieve
a cheating probability less than $1/\sqrt{2}$ for both Alice and Bob. Recently, we resolved the question
of whether 3/4 or $1/\sqrt{2}$ is ultimately the right bound for quantum coin flipping by constructing a
strong coin-flipping protocol with cheating probability $1/\sqrt{2} + \epsilon$ ([CK09]).

The protocol in [CK09] is in fact a classical protocol that uses the primitive of weak coin flipping
as a subroutine. In the setting of weak coin flipping, Alice and Bob have a priori a desired coin
outcome, in other words the two values of the coin can be thought of as 'Alice wins' and 'Bob
wins'. We are again interested in bounding the probability that a dishonest player can win this
game. Weak coin flipping protocols with cheating probabilities less than 3/4 were constructed
in [SR02, Amb02, KN04]. Finally, a breakthrough result by Mochon resolved the question of
the optimal quantum weak coin flipping. First, he described a protocol with cheating probability
2/3 [Moc04, Moc05] and then a protocol that achieves a cheating probability of $1/2 + \epsilon$ for any
$\epsilon > 0$ [Moc07].

In other words, in coin flipping, the power of quantum really comes from the ability to perform
weak coin flipping. If there existed a classical weak coin flipping protocol with arbitrarily small
bias, then this would have implied a classical strong coin flipping protocol with cheating probability
arbitrarily close to $1/\sqrt{2}$ as well.

In this paper, we turn our attention to bit commitment. Even though this primitive is closely
related to coin flipping we will see that actually the results are surprisingly different. A bit commitment
protocol consists of two phases: in the commit phase, Alice commits to a bit $b$; in the reveal
phase, Alice reveals the bit to Bob. We are interested in the following two probabilities: Alice's
cheating probability is the average probability of revealing both bits during the reveal phase, and
Bob's cheating probability is the probability he can guess the bit $b$ after the commit phase.

Using the known results about coin flipping we can give the following bounds on these probabilities.
First, most of the suggested coin flipping protocols with cheating probability 3/4 were using
some form of imperfect bit commitment scheme. More precisely, Alice would quantumly commit
to a bit $a$, Bob would announce a bit $b$ and then Alice would reveal her bit $a$. The outcome of the
coin flip would be $a \oplus b$. Hence, we already know bit commitment protocols that achieve cheating
probability equal to 3/4. Note also that Ambainis had proved a lower bound of 3/4 for any
protocol of this type. On the other hand, a bit commitment protocol with cheating probability $p$
immediately gives a strong coin flipping protocol with the same cheating probability (by the above
mentioned construction) and hence Kitaev's lower bound of $1/\sqrt{2}$ still holds.

The question of the optimal cheating probability for bit commitment remained unresolved,
similar to the case of coin flipping that was answered in [CK09]. Here, we find the optimal cheating
probability for quantum bit commitment, which surprisingly is neither of the above mentioned
constants. In fact, we show that it is approximately 0.739.

We start by providing a lower bound for any quantum bit commitment protocol. In order to do
so, we describe an explicit cheating strategy for Alice and Bob in any protocol. At a high level, let
$|\psi_b\rangle$ be the joint state of Alice and Bob after the commit phase and $\sigma_b$ Bob's density matrix, when
Alice honestly commits to bit $b$. It is well known that there exists a cheating strategy for Bob that
succeeds with probability

$$P_B^* \geq \frac{1}{2} + \frac{\Delta(\sigma_0, \sigma_1)}{2}$$

where $\Delta(\cdot, \cdot)$ denotes the trace distance between two density matrices.

For Alice, we consider the following cheating strategy. Instead of choosing a bit $b$ in the
beginning of the protocol, she goes into a uniform superposition of the two possible values and
controlled on this qubit she performs honestly the commit phase. Then, after the commit phase,
when she wants to reveal a specific bit $b$, she first performs a unitary operation on her part to
transform the joint state to one which is as close as possible to the honest state $|\psi_b\rangle$ (the unitary
is given by Uhlmann's theorem) and then performs the reveal phase honestly.

It is not hard to see that Alice's cheating probability is at least

$$P_A^* \geq \frac{1}{2}\left(F^2(\sigma_+, \sigma_0) + F^2(\sigma_+, \sigma_1)\right)$$

where $F(\cdot, \cdot)$ denotes the fidelity between two states and $\sigma_+ = \frac{1}{2}(\sigma_0 + \sigma_1)$.
In order to conclude we prove our main technical lemma.

Proposition 1 Let $\sigma_0, \sigma_1$ be any two quantum states. Let $\sigma_+ = \frac{1}{2}(\sigma_0 + \sigma_1)$. We have

$$\frac{1}{2}\left(F^2(\sigma_+, \sigma_0) + F^2(\sigma_+, \sigma_1)\right) \geq \left(1 - \left(1 - \frac{1}{\sqrt{2}}\right)\Delta(\sigma_0, \sigma_1)\right)^2$$

By equalizing the two lower bounds that are expressed in terms of the trace distance we conclude
that

Theorem 1 In any quantum bit commitment protocol with cheating probabilities $P_A^*$ and $P_B^*$, we
have $\max\{P_A^*, P_B^*\} \geq 0.739$.

Then, we provide a matching upper bound. We describe a quantum bit commitment protocol
that achieves a cheating probability arbitrarily close to 0.739. Our protocol uses a weak coin flipping
protocol with cheating probability $1/2 + \epsilon$ as a subroutine and achieves a cheating probability for
the bit commitment of $0.739 + O(\epsilon)$.

Theorem 2 There exists a quantum bit commitment protocol that uses a weak coin flipping protocol
with cheating probability $1/2 + \epsilon$ as a subroutine and achieves cheating probabilities less than
$0.739 + O(\epsilon)$.

We note that our protocol is in fact quantum even beyond the weak coin flip subroutine. This
is in fact necessary. We show that any classical bit commitment protocol with access to a perfect
weak coin (or even strong) cannot achieve cheating probability less than 3/4.

Theorem 3 Any classical bit commitment protocol with access to perfect weak (or strong) coin
flipping cannot achieve cheating probabilities less than 3/4.

Unlike the case of quantum strong coin flipping that is derived classically when one has access
to a weak coin flipping protocol, the optimal quantum bit commitment takes advantage of quantum
effects beyond the weak coin flipping subroutine.



2 Preliminaries 



2.1 Useful facts about trace distance and fidelity of quantum states 

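We start by stating a few properties of the trace distance $\Delta$ and fidelity $F$ between two quantum
states.

Definition 1 For any two quantum states $\rho, \sigma$, the trace distance $\Delta$ between them is given by
$\Delta(\rho, \sigma) = \Delta(\sigma, \rho) = \frac{1}{2}\mathrm{tr}(|\rho - \sigma|)$ where $|A| = \sqrt{A^\dagger A}$ for a matrix $A$.

Proposition 2 For any two states $\rho, \sigma$ such that $\rho = \sum_i p_i |i\rangle\langle i|$ and $\sigma = \sum_i q_i |i\rangle\langle i|$ we have

$$\Delta(\rho, \sigma) = \frac{1}{2}\sum_i |p_i - q_i| = \sum_{i : p_i \geq q_i} (p_i - q_i) = 1 - \sum_i \min\{p_i, q_i\} = \sum_i \max\{p_i, q_i\} - 1$$

Proof: Since $\sum_i p_i = \sum_i q_i = 1$, we have $\sum_{i : p_i \geq q_i} (p_i - q_i) = \sum_{i : p_i < q_i} (q_i - p_i)$ and
$\sum_i (\max\{p_i, q_i\} + \min\{p_i, q_i\}) = 2$, hence

$$\Delta(\rho, \sigma) = \frac{1}{2}\sum_i |p_i - q_i| = \frac{1}{2}\left(\sum_{i : p_i \geq q_i} (p_i - q_i) + \sum_{i : p_i < q_i} (q_i - p_i)\right) = \sum_{i : p_i \geq q_i} (p_i - q_i)$$

$$\Delta(\rho, \sigma) = \frac{1}{2}\sum_i |p_i - q_i| = \frac{1}{2}\sum_i \left(\max\{p_i, q_i\} - \min\{p_i, q_i\}\right) = 1 - \sum_i \min\{p_i, q_i\} = \sum_i \max\{p_i, q_i\} - 1$$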



Proposition 3 For any two states $\rho, \sigma$, and a POVM $E = \{E_1, \ldots, E_m\}$ with $p_i = \mathrm{tr}(\rho E_i)$ and
$q_i = \mathrm{tr}(\sigma E_i)$, we have $\Delta(\rho, \sigma) \geq \frac{1}{2}\sum_i |p_i - q_i|$. There is a POVM (even a projective measurement)
for which this inequality is an equality.

Proposition 4 [Hel67] Suppose Alice has a bit $c \in_R \{0, 1\}$ unknown to Bob. Alice sends a
quantum state $\rho_c$ to Bob. We have

$$\Pr[\text{Bob guesses } c] \leq \frac{1}{2} + \frac{\Delta(\rho_0, \rho_1)}{2}$$

Definition 2 For any two states $\rho, \sigma$, the fidelity $F$ between them is given by

$$F(\rho, \sigma) = F(\sigma, \rho) = \mathrm{tr}\left(\sqrt{\rho^{1/2} \sigma \rho^{1/2}}\right)$$

Proposition 5 For any two states $\rho, \sigma$, and a POVM $E = \{E_1, \ldots, E_m\}$ with $p_i = \mathrm{tr}(\rho E_i)$ and
$q_i = \mathrm{tr}(\sigma E_i)$, we have $F(\rho, \sigma) \leq \sum_i \sqrt{p_i q_i}$. There is a POVM for which this inequality is an
equality.

Proposition 6 (Uhlmann's theorem) For any two states $\rho, \sigma$, there exist a purification $|\phi\rangle$ of
$\rho$ and a purification $|\psi\rangle$ of $\sigma$ such that $|\langle\phi|\psi\rangle| = F(\rho, \sigma)$.

Proposition 7 For any two states $\rho, \sigma$ and a completely positive trace preserving operation $Q$, we
have $F(\rho, \sigma) \leq F(Q(\rho), Q(\sigma))$.

2.2 Definition of quantum bit commitment 

Definition 3 A quantum commitment scheme is an interactive protocol between Alice and Bob 
with two phases, a Commit phase and a Reveal phase. 

• In the commit phase, Alice interacts with Bob in order to commit to b. 

• In the reveal phase, Alice interacts with Bob in order to reveal b. Bob decides to accept or 
reject depending on the revealed value of b and his final state. We say that Alice successfully 
reveals b, if Bob accepts the revealed value. 

We define the following security requirements for the commitment scheme. 

• Completeness: If Alice and Bob are both honest then Alice always successfully reveals the bit 
b she committed to. 

• Binding property: For any cheating Alice and for honest Bob, we define Alice's cheating
probability as

$$P_A^* = \frac{1}{2}\left(\Pr[\text{Alice successfully reveals } b = 0] + \Pr[\text{Alice successfully reveals } b = 1]\right)$$

• Hiding property: For any cheating Bob and for honest Alice, we define Bob's cheating probability
as

$$P_B^* = \Pr[\text{Bob guesses } b \text{ after the Commit phase}]$$

Remark: The definition of quantum bit commitment we use is the standard one when one studies
stand-alone cryptographic primitives. In this setting, quantum bit commitment has a clear
relation to other fundamental primitives such as coin flipping and oblivious transfer
[ATVY00, Amb01, Kit03, Moc07, CKS10]. Moreover, the study of such primitives sheds light on the
physical limits of quantum mechanics and the power of entanglement. Recently there have been some
stronger definitions of Quantum Bit Commitment protocols that suit better practical uses (see for
example [DFR+07]). Notice that using our weaker definition of quantum bit commitment only
strengthens our lower bound which also holds for the stronger ones.

We now describe in more detail the different steps of a quantum bit commitment protocol. We
consider protocols where Alice reveals $b$ at the beginning of the decommit phase. Note that this
doesn't help Bob and can only harm a cheating Alice. Proving a lower bound for such protocols
will hence be a lower bound for all bit commitment protocols.

We assume here that Alice and Bob are both honest. Let $A$ be Alice's space and $B$ be Bob's space.

The commit phase: Alice wants to commit to a bit $b$. Alice and Bob communicate with each
other and perform some quantum operations. This can be seen as a joint quantum operation which
depends on $b$. We can suppose wlog that this operation is a quantum unitary (by increasing
Alice and Bob's quantum space). At the end of the commit phase, Alice and Bob share the quantum
state $|\psi_b\rangle$. Let $\sigma_b = \mathrm{Tr}_A |\psi_b\rangle\langle\psi_b|$ be the state that Bob has after the commit phase.

The reveal phase: Alice wants to reveal $b$ to Bob. Alice reveals $b$ at the beginning of the
decommit phase. Similarly to the commit phase, we can suppose that the decommit phase is
equivalent to Alice and Bob performing a joint unitary on their shared state ($|\psi_b\rangle$ if they were
honest in the Commit phase). At the end, Bob performs a check to see whether Alice cheated or
not. In the honest case, Bob always accepts.

2.3 Definitions of Coin flipping

We provide the formal definitions of all the different variants of coin flipping protocols that we are 
going to use. 

In a coin flipping protocol, we call a round of communication one message from Alice to Bob 
and one message from Bob to Alice. We suppose that Alice always sends the first message and Bob 
always sends the last message. The protocol is quantum if we allow the parties to send quantum 
messages and perform quantum operations. A player is honest if he or she follows the protocol. A 
cheating player can deviate arbitrarily from the protocol but still outputs a value at the end of it. 
There are two important variants of coin flipping that have been studied. 

Strong Coin Flipping 

A strong coin flipping protocol between two parties Alice and Bob is a protocol where Alice and
Bob interact and at the end, Alice outputs a value $c_A \in \{0, 1, \text{Abort}\}$ and Bob outputs a value
$c_B \in \{0, 1, \text{Abort}\}$. If $c_A = c_B$, we say that the protocol outputs $c = c_A$. If $c_A \neq c_B$ then the
protocol outputs $c = \text{Abort}$.

A strong coin flipping protocol with bias $\epsilon$ ($SCF(\epsilon)$) has the following properties

• If Alice and Bob are honest then $\Pr[c = 0] = \Pr[c = 1] = 1/2$

• If Alice cheats and Bob is honest then $P_A^* = \max\{\Pr[c = 0], \Pr[c = 1]\} \leq 1/2 + \epsilon$.

• If Bob cheats and Alice is honest then $P_B^* = \max\{\Pr[c = 0], \Pr[c = 1]\} \leq 1/2 + \epsilon$

The probabilities $P_A^*$ and $P_B^*$ are called the cheating probabilities of Alice and Bob respectively.
The cheating probability of the protocol is defined as $\max\{P_A^*, P_B^*\}$. We say that the coin flipping
is perfect if $\epsilon = 0$. This is because a player that wants to Abort can always declare victory rather
than aborting without reducing the security of the protocol (see [Moc07]).

Weak coin flipping

A weak coin flipping protocol between two parties Alice and Bob is a protocol where Alice and
Bob interact and at the end, Alice outputs a value $c_A \in \{0, 1\}$ and Bob outputs a value $c_B \in \{0, 1\}$.
If $c_A = c_B$, we say that the protocol outputs $c = c_A$. If $c_A \neq c_B$ then the protocol outputs
$c = \text{Abort}$. The difference with Strong coin flipping is that the players do not Abort. This is
because a player that wants to Abort can always declare victory rather than aborting without
reducing the security of the protocol.

A (balanced) weak coin flipping protocol with bias $\epsilon$ ($WCF(1/2, \epsilon)$) has the following properties

• If $c = 0$, we say that Alice wins. If $c = 1$, we say that Bob wins.

• If Alice and Bob are honest then $\Pr[\text{Alice wins}] = \Pr[\text{Bob wins}] = 1/2$

• If Alice cheats and Bob is honest then $P_A^* = \Pr[\text{Alice wins}] \leq 1/2 + \epsilon$

• If Bob cheats and Alice is honest then $P_B^* = \Pr[\text{Bob wins}] \leq 1/2 + \epsilon$

Similarly, $P_A^*$ and $P_B^*$ are the cheating probabilities of Alice and Bob. The cheating probability of
the protocol is defined as $\max\{P_A^*, P_B^*\}$.

We can also define weak coin flipping for the case where the winning probabilities of the two
players in the honest case are not equal.

Unbalanced weak coin flipping

A weak coin flipping protocol with parameter $z$ and bias $\epsilon$ ($WCF(z, \epsilon)$) has the following
properties.

• If $c = 0$, we say that Alice wins. If $c = 1$, we say that Bob wins.

• If Alice and Bob are honest then $\Pr[\text{Alice wins}] = z$ and $\Pr[\text{Bob wins}] = 1 - z$

• If Alice cheats and Bob is honest then $P_A^* = \Pr[\text{Alice wins}] \leq z + \epsilon$

• If Bob cheats and Alice is honest then $P_B^* = \Pr[\text{Bob wins}] \leq (1 - z) + \epsilon$

Reformulation of Quantum weak coin flipping protocol We reformulate here the definition
of a quantum weak coin flipping to take into account the fact that Alice and Bob are quantum players
that perform unitary operations during the protocol and at the end they perform a measurement
on a quantum register in order to get their classical output. More precisely, let $O_A$ (resp. $O_B$)
be Alice's (resp. Bob's) one-qubit output register. At the end of the protocol Alice (resp. Bob)
has a state $\rho_A$ in $O_A$ (resp. $\rho_B$ in $O_B$). They also share some garbage state. The players get
their output value by measuring their output qubit in the computational basis. Let $\rho_{AB}$ be the joint
output state of Alice and Bob in $O_A \otimes O_B$. In this setting, a weak coin flipping has the following
properties.

• The 0 outcome corresponds to Alice winning. The 1 outcome corresponds to Bob winning.

• If Alice and Bob are honest then $\langle 00|\rho_{AB}|00\rangle = \langle 11|\rho_{AB}|11\rangle = 1/2$

• If Alice cheats and Bob is honest then $P_A^* = \langle 0|\rho_B|0\rangle \leq 1/2 + \epsilon$

• If Bob cheats and Alice is honest then $P_B^* = \langle 1|\rho_A|1\rangle \leq 1/2 + \epsilon$

Notice that Alice's cheating probability depends only on Bob's output. This is because a
cheating Alice will always claim that she won, so she wins when Bob outputs 'Alice wins'. We have
the same behavior for a cheating Bob.

Similarly, we can define an unbalanced weak coin flipping in this setting.

• The 0 outcome corresponds to Alice winning. The 1 outcome corresponds to Bob winning.

• If Alice and Bob are honest then $\langle 00|\rho_{AB}|00\rangle = z$; $\langle 11|\rho_{AB}|11\rangle = 1 - z$

• If Alice cheats and Bob is honest then $P_A^* = \langle 0|\rho_B|0\rangle \leq z + \epsilon$

• If Bob cheats and Alice is honest then $P_B^* = \langle 1|\rho_A|1\rangle \leq (1 - z) + \epsilon$

We will use the following result by Mochon.

Proposition 8 [Moc07] For every $\epsilon > 0$, there exists a quantum $WCF(1/2, \epsilon)$ protocol $P$.

Note also that this construction can be extended to the unbalanced case. A procedure to
turn balanced WCF protocols into unbalanced ones has been presented in [CK09]. This procedure
was presented in the classical setting but can be easily extended to the quantum definitions of
unbalanced weak coin.

Proposition 9 [CK09] Let $P$ be a $WCF(1/2, \epsilon)$ protocol with $N$ rounds. Then, $\forall z \in [0, 1]$ and
$\forall k \in \mathbb{N}$, there exists a $WCF(x, \epsilon_0)$ protocol $Q$ such that:

• $Q$ uses $k \cdot N$ rounds.

• $|x - z| \leq$ .

• $\epsilon_0 \leq 2\epsilon$.

3 Proof of the Lower Bound 

To prove the lower bound, we will show some generic cheating strategies for Alice and Bob that 
work for any kind of bit commitment scheme. We will then show that these cheating strategies give 
a cheating probability of approximately 0.739 for any protocol. 

3.1 Description of cheating strategies 

We denote by $|\psi_b\rangle$ the quantum state Alice and Bob share at the end of the commit phase. Let
$\sigma_b = \mathrm{Tr}_A |\psi_b\rangle\langle\psi_b|$ be the state that Bob has after the commit phase when Alice honestly commits to
bit $b$.

3.1.1 Bob's cheating strategy 

The cheating strategy of Bob is the following: 

• Perform the Commit phase honestly. 

• Guess $b$ by performing on the state at the end of the commit phase the optimal discriminating
measurement between $\sigma_0$ and $\sigma_1$.

First note that an all-powerful Bob can always perform this strategy, since he knows the honest
states $\sigma_0$ and $\sigma_1$ and can hence compute and perform the optimal measurement. Let us analyze
this strategy. We know [Hel67] that Bob can guess $b$ with probability $\frac{1}{2} + \frac{\Delta(\sigma_0, \sigma_1)}{2}$ and hence

$$P_B^* \geq \frac{1}{2} + \frac{\Delta(\sigma_0, \sigma_1)}{2}$$

3.1.2 Alice's cheating strategy

The cheating strategy of Alice is the following:

• Perform a quantum strategy so that at the end of the commit phase, Bob has the state
$\sigma_+ = \frac{1}{2}(\sigma_0 + \sigma_1)$.

• In order to reveal a specific value $b$, send $b$ then apply a local quantum operation such that
the actual joint state of the protocol, $|\phi_b\rangle$, satisfies $|\langle\phi_b|\psi_b\rangle| = F(\sigma_+, \sigma_b)$. Perform the rest of
the reveal phase honestly.

First note that an all-powerful Alice can perform this strategy. An honest Alice has a strategy
to make Bob's state after the commit phase equal to $\sigma_b$ for both $b = 0$ and $b = 1$. A cheating Alice
creates a qubit $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$. Conditioned on 0 (resp. 1), she applies the strategy that will give
Bob the state $\sigma_0$ (resp. $\sigma_1$). By doing this Bob's state at the end of the commit phase is exactly
$\sigma_+$. Moreover, by Uhlmann's theorem, Alice can compute and perform the local unitary in the
beginning of the reveal phase to create a state $|\phi_b\rangle$ that satisfies $|\langle\phi_b|\psi_b\rangle| = F(\sigma_+, \sigma_b)$.

For the analysis, since Bob accepts $b$ with probability 1 when the joint state of the protocol
is $|\psi_b\rangle$, he accepts with probability at least $|\langle\phi_b|\psi_b\rangle|^2 = F^2(\sigma_+, \sigma_b)$ when the joint state of the
protocol is $|\phi_b\rangle$. From this cheating strategy, we have that

3.2 Showing the Lower Bound 

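We have the following bounds for cheating Alice and cheating Bob.

$$P_A^* \geq \frac{1}{2}\left(F^2(\sigma_+, \sigma_0) + F^2(\sigma_+, \sigma_1)\right)$$

$$P_B^* \geq \frac{1}{2} + \frac{\Delta(\sigma_0, \sigma_1)}{2}$$

We now use the following inequality that will be proved in the next section.

Proposition 10 Let $\sigma_0, \sigma_1$ be any two quantum states. Let $\sigma_+ = \frac{1}{2}(\sigma_0 + \sigma_1)$. We have

$$\frac{1}{2}\left(F^2(\sigma_+, \sigma_0) + F^2(\sigma_+, \sigma_1)\right) \geq \left(1 - \left(1 - \frac{1}{\sqrt{2}}\right)\Delta(\sigma_0, \sigma_1)\right)^2$$

Let $t = \Delta(\sigma_0, \sigma_1)$. From the above Proposition, we have the following bounds.

$$P_A^* \geq \frac{1}{2}\left(F^2(\sigma_+, \sigma_0) + F^2(\sigma_+, \sigma_1)\right) \geq \left(1 - \left(1 - \frac{1}{\sqrt{2}}\right)t\right)^2$$

$$P_B^* \geq \frac{1}{2} + \frac{\Delta(\sigma_0, \sigma_1)}{2} = \frac{1 + t}{2}$$

We get the optimal cheating probability by equalizing these two bounds, i.e.

$$\left(1 - \left(1 - \frac{1}{\sqrt{2}}\right)t\right)^2 = \frac{1 + t}{2}$$

Notice that the same cheating probabilities appeared in the analysis of a weak coin flipping protocol
in [KN04]. Solving the equation gives $t \approx 0.4785$ and hence we have

Theorem 1 In any quantum bit commitment protocol with cheating probabilities $P_A^*$ and $P_B^*$, we
have $\max\{P_A^*, P_B^*\} \geq 0.739$.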

3.3 Proof of the fidelity Lemma 

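In this Section, we show Proposition 10.

Proof of Proposition 10: We will prove this Lemma in three steps. Let $\sigma_0, \sigma_1$ be two quantum
states and let $\sigma_+ = \frac{1}{2}(\sigma_0 + \sigma_1)$.

Step 1 We first consider the states $\rho_0 = \frac{1}{2}|0\rangle\langle 0| \otimes \sigma_0 + \frac{1}{2}|1\rangle\langle 1| \otimes \sigma_1$ and
$\rho_+ = \frac{1}{2}|0\rangle\langle 0| \otimes \sigma_+ + \frac{1}{2}|1\rangle\langle 1| \otimes \sigma_+$. We compute the trace distance and fidelity of these states

$$\Delta(\rho_0, \rho_+) = \frac{1}{2}\left(\Delta(\sigma_0, \sigma_+) + \Delta(\sigma_1, \sigma_+)\right) = \frac{1}{2}\Delta(\sigma_0, \sigma_1) \tag{1}$$

In order to calculate the fidelity we note first that
$\rho_+^{1/2} = \frac{1}{\sqrt{2}}\left(|0\rangle\langle 0| \otimes \sigma_+^{1/2} + |1\rangle\langle 1| \otimes \sigma_+^{1/2}\right)$. From the
definition of fidelity we have

$$F(\rho_0, \rho_+) = \mathrm{tr}\sqrt{\rho_+^{1/2} \rho_0 \rho_+^{1/2}} = \mathrm{tr}\sqrt{\frac{1}{4}|0\rangle\langle 0| \otimes \sigma_+^{1/2}\sigma_0\sigma_+^{1/2} + \frac{1}{4}|1\rangle\langle 1| \otimes \sigma_+^{1/2}\sigma_1\sigma_+^{1/2}} = \frac{1}{2}\left(F(\sigma_0, \sigma_+) + F(\sigma_1, \sigma_+)\right)$$

Hence, by Cauchy-Schwarz we conclude that

$$F^2(\rho_0, \rho_+) \leq \frac{1}{2}F^2(\sigma_0, \sigma_+) + \frac{1}{2}F^2(\sigma_1, \sigma_+) \tag{2}$$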

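Step 2 Consider the POVM $E = \{E_1, \ldots, E_m\}$ with $p_i = \mathrm{tr}(\rho_0 E_i)$ and $q_i = \mathrm{tr}(\rho_+ E_i)$ such that
$F(\rho_0, \rho_+) = \sum_i \sqrt{p_i q_i}$ (Prop. 5). We consider the states $D_0 = \sum_i p_i |i\rangle\langle i|$ and $D_+ = \sum_i q_i |i\rangle\langle i|$.
For the trace distance and fidelity of these states, we have

$$\Delta(D_0, D_+) = \frac{1}{2}\sum_i |p_i - q_i| \leq \Delta(\rho_0, \rho_+) = \frac{1}{2}\Delta(\sigma_0, \sigma_1) \quad \text{by Prop. 2, 3 and Eq. (1)} \tag{3}$$

$$F(D_0, D_+) = F(\rho_0, \rho_+) = \sum_i \sqrt{p_i q_i} \tag{4}$$

Step 3 Let us define $k$ such that $k/2 = \Delta(D_0, D_+)$. We now consider the states
$T_0 = k|0\rangle\langle 0| + (1 - k)|2\rangle\langle 2|$ and $T_+ = \frac{k}{2}|0\rangle\langle 0| + \frac{k}{2}|1\rangle\langle 1| + (1 - k)|2\rangle\langle 2|$. We calculate the trace distance and fidelity
of these states

$$\Delta(T_0, T_+) = \frac{k}{2} = \Delta(D_0, D_+) \leq \frac{1}{2}\Delta(\sigma_0, \sigma_1) \tag{5}$$

$$F(T_0, T_+) = \frac{k}{\sqrt{2}} + (1 - k) \geq 1 - \left(1 - \frac{1}{\sqrt{2}}\right)\Delta(\sigma_0, \sigma_1) \tag{6}$$

The only thing remaining is to show that $F(T_0, T_+) \leq F(D_0, D_+)$. To prove this, we construct a
completely positive trace preserving operation $Q$ such that $Q(T_0) = D_0$ and $Q(T_+) = D_+$. We can
then conclude using Proposition 7.

We define $D_1 = \sum_i r_i |i\rangle\langle i|$ with $p_i + r_i = 2q_i$. This means that $D_+ = \frac{1}{2}D_0 + \frac{1}{2}D_1$ and
$\Delta(D_0, D_1) = k$.

Let $A = \{i : p_i \geq r_i\}$ and $B = \{i : p_i < r_i\}$. Let $w_i = \min\{p_i, r_i\}$. We consider the following $Q$

$$Q(|0\rangle\langle 0|) = \frac{1}{k}\sum_{i \in A} (p_i - r_i)|i\rangle\langle i|$$

$$Q(|1\rangle\langle 1|) = \frac{1}{k}\sum_{i \in B} (r_i - p_i)|i\rangle\langle i|$$

$$Q(|2\rangle\langle 2|) = \frac{1}{1 - k}\sum_i w_i |i\rangle\langle i|$$

$$Q(|i\rangle\langle j|) = 0 \text{ for } i \neq j$$

Since $\Delta(D_0, D_1) = k$, we have in particular that $\sum_i w_i = 1 - k$; $\sum_{i \in A} (p_i - r_i) = \sum_{i \in B} (r_i - p_i) = k$
(see Proposition 2). $Q$ is hence a completely positive trace preserving operation. We now have:

$$Q(T_0) = k \cdot \frac{1}{k}\sum_{i \in A} (p_i - r_i)|i\rangle\langle i| + (1 - k) \cdot \frac{1}{1 - k}\sum_i w_i |i\rangle\langle i|$$

$$= \sum_{i \in A} (p_i - r_i)|i\rangle\langle i| + \sum_i w_i |i\rangle\langle i|$$

$$= \sum_{i \in A} (p_i - r_i + r_i)|i\rangle\langle i| + \sum_{i \in B} p_i |i\rangle\langle i|$$

$$= \sum_i p_i |i\rangle\langle i| = D_0$$

Similarly, we have

$$Q(T_+) = \frac{k}{2} \cdot \frac{1}{k}\sum_{i \in A} (p_i - r_i)|i\rangle\langle i| + \frac{k}{2} \cdot \frac{1}{k}\sum_{i \in B} (r_i - p_i)|i\rangle\langle i| + (1 - k) \cdot \frac{1}{1 - k}\sum_i w_i |i\rangle\langle i|$$

$$= \frac{1}{2}\sum_{i \in A} (p_i - r_i)|i\rangle\langle i| + \frac{1}{2}\sum_{i \in B} (r_i - p_i)|i\rangle\langle i| + \sum_i w_i |i\rangle\langle i|$$

$$= \sum_{i \in A} \left(\frac{p_i - r_i}{2} + r_i\right)|i\rangle\langle i| + \sum_{i \in B} \left(p_i + \frac{r_i - p_i}{2}\right)|i\rangle\langle i|$$

$$= \sum_i q_i |i\rangle\langle i| = D_+$$

From this, we conclude that

$$F(D_0, D_+) = F(Q(T_0), Q(T_+)) \geq F(T_0, T_+) \tag{7}$$

Putting everything together, we have using equations (2), (4), (6), (7)

$$\frac{1}{2}\left(F^2(\sigma_0, \sigma_+) + F^2(\sigma_1, \sigma_+)\right) \geq F^2(\rho_0, \rho_+) = F^2(D_0, D_+) \geq F^2(T_0, T_+) \geq \left(1 - \left(1 - \frac{1}{\sqrt{2}}\right)\Delta(\sigma_0, \sigma_1)\right)^2$$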



4 Proof of the Upper Bound 

In this section we describe and analyze a protocol that proves the optimality of our bound. 

Theorem 2 There exists a quantum bit commitment protocol that uses a weak coin flipping protocol
with cheating probability $1/2 + \epsilon$ as a subroutine and achieves cheating probabilities less than
$0.739 + O(\epsilon)$.

Our protocol is a quantum improvement of the following simple protocol that achieves cheating
probability 3/4. Alice commits to bit $b$ by preparing the state $\frac{1}{\sqrt{2}}(|bb\rangle + |22\rangle)$ and sending the
second qutrit to Bob. In the reveal phase, she sends the first qutrit and Bob checks that the pure
state is the correct one. It is not hard to prove that both Alice and Bob can cheat with probability
3/4 [Amb01, KN04]. The main idea in order to reduce the cheating probabilities for both players is
the following: first we increase a little bit the amplitude of the state $|22\rangle$ in this superposition. This
decreases the cheating probability of Bob. However, now Alice can cheat even more. To remedy
this, we use the quantum procedure of a weak coin flipping so that Alice and Bob jointly create
the above initial state (with the appropriate amplitudes) instead of having Alice create it herself.
We present now the details of the protocol.

4.1 The protocol 

Commit phase, Step 1 Alice and Bob perform an unbalanced weak coin flipping procedure 
(without measuring the final outcome), where Alice wins with probability 1 — p and Bob with 
probability p. As we said, we can think of this procedure as a big unitary operation that creates a 
joint pure state in the space of Alice and Bob. Moreover, Alice and Bob have each a special 1-qubit 
register that they can measure at the end of the protocol in order to read the outcome of the weak 
coin flipping. Here, we assume that they don't measure anything and that at the end Alice sends 
back to Bob all her garbage qubits. In other words, in the honest case, Alice and Bob share the 
following state at the end of the weak coin protocol 

$$|\Omega\rangle = \sqrt{p}\,|L\rangle_A \otimes |L, G_L\rangle_B + \sqrt{1 - p}\,|W\rangle_A \otimes |W, G_W\rangle_B$$

where $W$ corresponds to the outcome "Alice wins" and $L$ corresponds to the outcome "Alice
loses". The spaces $A, B$ correspond to Alice's and Bob's private quantum space. The garbage
states $|G_W\rangle, |G_L\rangle$ are known to both players.



Commit phase, Step 2 After the end of the weak coin flipping procedure, Alice does the
following. Conditioned on her qubit being $W$, she creates two qutrits in the state $|22\rangle$ and sends
the second to Bob. Conditioned on her qubit being $L$, she creates two qutrits in the state $|bb\rangle$
where $b$ is the bit she wants to commit to and sends the second to Bob. If the players are both
honest, they share the following state:

$$|\Omega_b\rangle = \sqrt{p}\,|L, b\rangle_A \otimes |L, b, G_L\rangle_B + \sqrt{1 - p}\,|W, 2\rangle_A \otimes |W, 2, G_W\rangle_B$$

Reveal phase In the reveal phase, Alice sends $b$ and all her remaining qubits in space $A$ to Bob.
Bob checks that he has the state $|\Omega_b\rangle$.

4.2 Analysis 

If Alice and Bob are both honest then Alice always successfully reveals the bit b she committed to. 

Cheating Bob Bob is not necessarily honest in the weak coin flipping protocol, however the
weak coin flipping has small bias $\epsilon$. Since Alice is honest, Bob has all the qubits except the one
qubit which is in Alice's output register. At the end of the first step of the Commit phase, Alice
and Bob share a state

$$|\Omega^*\rangle = \sqrt{p'}\,|L\rangle_A |\Psi_L\rangle_B + \sqrt{1 - p'}\,|W\rangle_A |\Psi_W\rangle_B$$

for some states $|\Psi_L\rangle, |\Psi_W\rangle$ held by Bob. Recall that the outcome $L$ in Alice's output register
corresponds to the outcome where Alice loses the weak coin flipping protocol. Hence, for any
cheating Bob, since our coin flipping has bias $\epsilon$, we have $p' \leq p + \epsilon$. At the end of the commit
phase, depending on Alice's committed bit $b$, the joint state is

$$|\Omega_b^*\rangle = \sqrt{p'}\,|L, b\rangle_A |b, \Psi_L\rangle_B + \sqrt{1 - p'}\,|W, 2\rangle_A |2, \Psi_W\rangle_B$$

and Bob's density matrix is

$$\sigma_b^* = p'\,|b, \Psi_L\rangle\langle b, \Psi_L| + (1 - p')\,|2, \Psi_W\rangle\langle 2, \Psi_W|.$$

By Proposition 4 we have

$$P_B^* = \Pr[\text{Bob guesses } b] \leq \frac{1}{2} + \frac{\Delta(\sigma_0^*, \sigma_1^*)}{2} = \frac{1}{2} + \frac{p'}{2} \leq \frac{1 + p}{2} + \frac{\epsilon}{2}$$

Cheating Alice Let $\sigma_b$ be Bob's reduced state at the end of the commit phase when both players
are honest. Let $|x\rangle = |L, x, G_L\rangle$ for $x \in \{0, 1\}$ and $|2\rangle = |W, 2, G_W\rangle$. We have

$$\sigma_b = p\,|b\rangle\langle b| + (1 - p)\,|2\rangle\langle 2|$$

Let $\xi$ be Bob's state at the end of the commit phase for a cheating Alice. Let $r_i = \langle i|\xi|i\rangle$ for
$i \in \{0, 1, 2\}$. From the characterization of the fidelity in Proposition 5 we have that

$$F(\xi, \sigma_b) \leq \sqrt{p\,r_b} + \sqrt{(1 - p)\,r_2}$$

From standard analysis of bit commitment protocol (for example [KN04]), we have using Uhlmann's
Theorem that

$$P_A^* \leq \frac{1}{2}\left(F^2(\xi, \sigma_0) + F^2(\xi, \sigma_1)\right) \leq \frac{1}{2}\left(\sqrt{p\,r_0} + \sqrt{(1 - p)\,r_2}\right)^2 + \frac{1}{2}\left(\sqrt{p\,r_1} + \sqrt{(1 - p)\,r_2}\right)^2$$

In order to get a tight bound for the above expression, we use here the property of the weak coin
flipping. Recall that $|2\rangle = |W, 2, G_W\rangle$ has its first register as $W$ (this corresponds to Alice winning
the coin flip). On the other hand, $|0\rangle$ and $|1\rangle$ have $L$ as their first register, corresponding to the case
where Bob wins. For any cheating Alice, she can win the weak coin flip with probability smaller
than $1 - p + \epsilon$ and hence this means in particular that $r_2 \leq 1 - p + \epsilon$. Moreover, $r_0 + r_1 + r_2 \leq 1$.
For $\epsilon <$ p{l — 2^^) we can show that this quantity is maximal when $r_2$ is maximal and $r_0 = r_1 =
(p - \epsilon)/2$ (proven in Appendix [X]). This gives us

$$P_A^* \leq \left(\sqrt{\frac{p(p - \epsilon)}{2}} + \sqrt{(1 - p)(1 - p + \epsilon)}\right)^2 \leq \left(1 - \left(1 - \frac{1}{\sqrt{2}}\right)p\right)^2 + O(\epsilon)$$



Putting it all together Except for the terms in $\varepsilon$, we obtain exactly the same quantities as in 
our lower bound. By equalizing these cheating probabilities, we have 

$$\max\{P_A^*, P_B^*\} \approx 0.739 + O(\varepsilon)$$

Since we can have $\varepsilon$ arbitrarily close to 0 (Proposition 8) and we can have an unbalanced weak 
coin flipping protocol with probability arbitrarily close to p (Proposition 9), we conclude that our 
protocol is arbitrarily close to optimal. 
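The following numerical check is an added example, not code from the paper. It finds the p at which Bob's bound $(1+p)/2$ equals Alice's bound $(1 - (1 - 1/\sqrt{2})p)^2$, and grid-searches Alice's bound over the feasible $(r_0, r_1, r_2)$ to confirm the maximizer stated above; the function names and the choice $\varepsilon = 0.01$ are assumptions of this example.

```python
import math

C = 1 - 1 / math.sqrt(2)

def bob_bound(p, eps=0.0):
    """Cheating Bob: 1/2 + p'/2 with p' <= p + eps."""
    return 0.5 + (p + eps) / 2

def alice_bound(p, r0, r1, r2):
    """Cheating Alice: average of the two squared fidelity bounds."""
    t = math.sqrt((1 - p) * r2)
    return 0.5 * (math.sqrt(p * r0) + t) ** 2 + 0.5 * (math.sqrt(p * r1) + t) ** 2

def alice_closed_form(p):
    """Limit of Alice's bound as eps -> 0: (1 - (1 - 1/sqrt(2)) p)^2."""
    return (1 - C * p) ** 2

def balance_point(tol=1e-12):
    """Bisection for the p in (0, 1) where both players' bounds coincide."""
    lo, hi = 0.0, 1.0  # Bob's bound rises with p, Alice's falls
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if bob_bound(mid) < alice_closed_form(mid):
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def alice_grid_max(p, eps, n=60):
    """Exhaustive grid over r0, r1, r2 >= 0, r0 + r1 + r2 <= 1, r2 <= 1 - p + eps."""
    best_val, best_r = -1.0, None
    for i in range(n + 1):
        r2 = (1 - p + eps) * (i / n)
        s = 1 - r2                      # budget left for r0 + r1
        for j in range(n + 1):
            r0 = s * (j / n)
            for k in range(n + 1):
                r1 = (s - r0) * (k / n)
                val = alice_bound(p, r0, r1, r2)
                if val > best_val:
                    best_val, best_r = val, (r0, r1, r2)
    return best_val, best_r

if __name__ == "__main__":
    p = balance_point()
    print(f"p = {p:.4f}, common bound = {bob_bound(p):.4f}")
    print(alice_grid_max(p, eps=0.01))
```
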



5 Proof of the classical lower bound 

In this Section, we show a 3/4 lower bound for classical bit commitment schemes when players 
additionally have the power to perform perfect (strong or weak) coin-flipping. This will show that 
unlike strong coin flipping, quantum and classical bit commitment are not alike in the presence of 
weak coin flipping. 

We first describe such protocols in Section 5.1. In Section 5.2 we construct a cheating strategy 
for Alice and Bob for these protocols such that one of the players can cheat with probability at 
least 3/4. 



5.1 Description of a classical bit commitment protocol with perfect coin flips 

We describe classical bit commitment schemes when players additionally have the power to perform 
perfect (strong or weak) coin-flipping. The way we deal with the coin is the following: when Alice 
and Bob are honest, they always output the same random value c and both players know this value. 
We can suppose equivalently that a random coin c is given publicly to both Alice and Bob each 
time they perform coin flipping. We describe any BC protocol with coins as follows: 

• Alice and Bob have some private randomness $R_A$ and $R_B$ respectively. 

• Commit phase: Alice wants to commit to some value x. Let N be the number of rounds of the 
commit phase. For i = 1 to N: Alice sends a message $a_i$, Bob sends a message $b_i$, Alice and 
Bob flip a coin and get a public $c_i \in \{0, 1\}$. 

• Reveal phase: Alice wants to decommit to some value y (= x if Alice is honest). 

1. Alice first reveals y. This is a restriction for the protocol but showing a lower bound for 
such protocols will show a lower bound for all protocols since this can only limit Alice's 
cheating possibilities without helping Bob. 

2. Let M be the number of rounds of the reveal phase. For i = 1 to M: Alice sends a message 
$a'_i$, Bob sends a message $b'_i$, Alice and Bob flip a coin and get a public $c'_i \in \{0, 1\}$. 

3. Bob has an accepting procedure Acc to decide whether he accepts the revealed bit or 
whether he aborts (if Bob catches Alice cheating). 

We denote the commit phase transcript by $t_C = (a_1, b_1, c_1, \ldots, a_N, b_N, c_N)$. If Alice and Bob 
are honest, then we can write $t_C = T_C(R_A, R_B, c, x)$ where $T_C$ is a function fixed by the protocol 
that takes as input Alice and Bob's private coins $R_A, R_B$, the outcomes of the public coin flips 
$c = (c_1, \ldots, c_N)$ as well as the bit x Alice wants to commit to and outputs a commit phase 
transcript $t_C$. If we can write $t_C = T_C(R_A, R_B, c, x)$ for some $R_A, R_B, c, x$, we say that $t_C$ is an 
honest commit phase transcript. 

Similarly, we define the decommit phase transcript by $t_D = (a'_1, b'_1, c'_1, \ldots, a'_M, b'_M, c'_M)$. If Alice 
and Bob are honest, we can write $t_D = T_D(R_A, R_B, c', y, t_C)$, where $T_D$ is a function fixed by the 
protocol that takes as input Alice and Bob's private coins $R_A, R_B$, the outcomes of the public coin 
flips $c' = (c'_1, \ldots, c'_M)$, the bit y Alice reveals as well as the commit phase transcript $t_C$ and outputs 
a reveal phase transcript $t_D$. If we can write $t_D = T_D(R_A, R_B, c', y, t_C)$ for some $R_A, R_B, c', y$ and 
some honest commit phase transcript $t_C$, we say that $t_D$ is an honest reveal phase transcript. 

Whether Bob accepts at the end of the protocol depends on both transcripts $t_C, t_D$ of the 
commit and reveal phase, the bit y Alice reveals as well as Bob's private coins. We write that 
$\mathrm{Acc}(t_C, t_D, y, R_B) = 1$ when Bob accepts. 

Note that in the honest case, Bob always accepts Alice's decommitment. This means that we 
can transform Alice's honest strategy in the reveal phase to a deterministic strategy which will also 
be always accepted. This fact will be useful in the proof. 

5.2 Proof of the classical lower bound 

In this Section, we construct cheating strategies for Alice and Bob such that one of the players 
will be able to cheat with probability greater than 3/4. We only consider cheating strategies where 
Alice and Bob are honest during the coin flips so again, they will be modeled as public and perfectly 
random coins. Moreover, Alice and Bob will always be honest during the commit phase. 

Before describing the cheating strategies we need some definitions. More particularly, we consider 
a cheating Alice who cheats during the reveal phase by following a deterministic strategy $A^*$. 
For a fixed honest commit phase transcript $t_C$, we can write the transcript of the reveal phase as 
a function of $A^*, R_B, c', y, t_C$, more precisely $T_D(A^*, R_B, c', y, t_C)$. 

Definition 4 We say that $R_B$ is consistent with $t_C$ if and only if there exist $R_A, c, x$ such that 
$t_C = T_C(R_A, R_B, c, x)$. 

Definition 5 Let $t_C$ be an honest commit phase transcript. We say that $t_C \in A_y$ if and only if 
$\exists A^*$ s.t. $\forall c'$ and $\forall R_B$ consistent with $t_C$, $\mathrm{Acc}(t_C, T_D(A^*, R_B, c', y, t_C), y, R_B) = 1$. 

Intuitively, $t_C \in A_y$ means that if Alice and Bob output an honest commit phase transcript $t_C$, 
there is a deterministic strategy $A^*$ for Alice that allows her to reveal y without Bob aborting, 
independently of Bob's private coins $R_B$. Since there is always a deterministic honest strategy for 
Alice in the reveal phase (when Alice and Bob have been honest in the commit phase), we have 

$$\forall R_A, R_B, c, x \quad t_C = T_C(R_A, R_B, c, x) \in A_x$$

Notice also that for any honest commit phase transcript $t_C$, both players Alice and Bob can compute 
whether $t_C \in A_u$ for both u = 0 and u = 1. 

Definition 6 We define the probability 

$$p_u = \Pr[t_C = T_C(R_A, R_B, c, u) \in A_{\bar{u}}]$$ where the probability is taken over uniform $R_A, R_B, c$. 

Consider that Bob is honest, $p_u$ is the probability that if Alice behaves honestly in the commit 
phase and commits to u, she has a deterministic cheating strategy to reveal $\bar{u}$ which always succeeds 
(independently of $c', R_B$). 

We can now describe and analyze our cheating strategies for Alice and Bob and prove our theorem. 



Theorem 3 For any classical bit commitment protocol with access to public perfect coins, one of 
the players can cheat with probability at least 3/4. 

Proof: Let us fix a bit commitment protocol. We describe cheating strategies for Alice and Bob. 
Cheating Alice 

• Commit phase: Alice picks $x \in_R \{0, 1\}$ and she honestly commits to x during the commit 
phase. 

• Reveal phase: if Alice wants to reveal x, she just remains honest during the reveal phase. 
By completeness of the protocol, this strategy succeeds with probability 1. If Alice wants to 
reveal $\bar{x}$, we know by definition of $p_x$ that she succeeds with probability at least $p_x$. This 
gives us: 

$$\frac{1}{2} + \frac{p_x}{2}$$

since Alice chooses x at random, we have: 

$$P_A^* \ge \frac{1}{2} + \frac{p_0 + p_1}{4}$$

Cheating Bob As Alice, Bob is honest in the commit phase. Let x be the bit Alice committed to. 
Since Alice and Bob are honest, the commit-phase transcript is $t_C = T_C(R_A, R_B, c, x)$ for uniformly 
random $R_A, R_B, c$. As said before, we know that $t_C \in A_x$. 

At the end of the commit phase, Bob wants to guess the bit x Alice commits to and he performs 
the following strategy: if $t_C \in A_0 \cap A_1$ he guesses x at random. If $\exists!\, u$ s.t. $t_C \in A_u$ he guesses 
x = u. 

We know that Bob succeeds in cheating with probability 1/2 if $t_C \in A_{\bar{x}}$ and with probability 1 
if $t_C \notin A_{\bar{x}}$. This gives us $P_B^* \ge p_x \cdot \frac{1}{2} + (1 - p_x) \cdot 1 = 1 - \frac{p_x}{2}$. Since again, Alice's bit x is uniformly 
random, we have 

$$P_B^* \ge 1 - \frac{p_0 + p_1}{4}$$

Putting it all together Taking Alice and Bob cheating probabilities together, we have 
$P_A^* + P_B^* \ge 3/2$ which gives $\max\{P_A^*, P_B^*\} \ge 3/4$. 
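The sets $A_y$, the probabilities $p_u$ and both cheating strategies can be computed by brute force for a small protocol. The block below is an added example, not code from the paper: the toy protocol (one public coin, then Alice sends x in the clear if the coin is 0 and x XOR a private pad otherwise) is constructed for illustration, and it assumes a simplified reveal phase with a single opening message from Alice and no reveal-phase coins, so a deterministic strategy $A^*$ is just a choice of opening.

```python
from fractions import Fraction
from itertools import product

# Constructed toy protocol (an assumption of this example, not from the paper).
RA, RB, COINS, BITS = [0, 1], [0], [0, 1], [0, 1]  # R_B is trivial here
OPENINGS = [0, 1]  # Alice's single reveal message: the pad she claims

def T_C(ra, rb, c, x):
    """Honest commit transcript (c, a): x in the clear if c == 0, else x XOR pad."""
    return (c, x if c == 0 else x ^ ra)

def acc(tc, opening, y, rb):
    """Bob's acceptance test on the revealed bit y."""
    c, a = tc
    return a == y if c == 0 else (a ^ opening) == y

def consistent_rb(tc):
    """Definition 4: all R_B for which tc is an honest transcript."""
    return [rb for rb in RB
            if any(T_C(ra, rb, c, x) == tc for ra, c, x in product(RA, COINS, BITS))]

def in_A(tc, y):
    """Definition 5: one fixed opening is accepted for every consistent R_B."""
    return any(all(acc(tc, m, y, rb) for rb in consistent_rb(tc)) for m in OPENINGS)

def p(u):
    """Definition 6: Pr[T_C(R_A, R_B, c, u) in A_(1-u)] over uniform R_A, R_B, c."""
    runs = list(product(RA, RB, COINS))
    return Fraction(sum(in_A(T_C(ra, rb, c, u), 1 - u) for ra, rb, c in runs), len(runs))

def alice_cheat():
    """Honest commit to a random x; opening x always works, 1-x works w.p. p_x."""
    return Fraction(1, 2) + (p(0) + p(1)) / 4

def bob_cheat():
    """Guess the unique u with tc in A_u; guess at random if tc is in both sets."""
    runs = list(product(RA, RB, COINS, BITS))
    wins = Fraction(0)
    for ra, rb, c, x in runs:
        both = in_A(T_C(ra, rb, c, x), 1 - x)  # tc is always in A_x
        wins += Fraction(1, 2) if both else 1
    return wins / len(runs)

if __name__ == "__main__":
    print(p(0), p(1), alice_cheat(), bob_cheat())
```

For this toy protocol both players reach exactly 3/4, so the sum of the two cheating probabilities meets the 3/2 bound with equality.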
A Proof of $r_0 = r_1$ and $r_2$ maximal in the quantum lower bound 

In this Section, we show the following: 
Proposition 11 Let 

with the constraints: $r_0, r_1, r_2 \ge 0$, $r_0 + r_1 + r_2 \le 1$ and $r_2 \le 1 - p + \varepsilon$ for $\varepsilon < p\left(1 - \frac{1}{2-p}\right)$. This 
cheating probability is maximized for $r_0 = r_1 = \frac{p - \varepsilon}{2}$ and $r_2 = 1 - p + \varepsilon$. 



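Proof: First note that the maximal cheating probability is achieved for $r_0 + r_1 + r_2 = 1$ since 
this cheating probability is increasing in $r_0, r_1, r_2$. 

We first show that $r_0 = r_1$. Let's fix $r_2$. This means that $S = r_0 + r_1 = 1 - r_2$ is fixed. Let 
$u = \sqrt{(1-p) r_2}$. We have 

$$P_A^* \le f(r_0) = \frac{1}{2}\left(\sqrt{p r_0} + u\right)^2 + \frac{1}{2}\left(\sqrt{p(S - r_0)} + u\right)^2$$

Taking the derivative, we have 

$$f'(r_0) = \frac{1}{2}\left(\frac{2\sqrt{p}}{2\sqrt{r_0}}\left(\sqrt{p r_0} + u\right) - \frac{2\sqrt{p}}{2\sqrt{S - r_0}}\left(\sqrt{p(S - r_0)} + u\right)\right) = \frac{u\sqrt{p}}{2}\left(\frac{1}{\sqrt{r_0}} - \frac{1}{\sqrt{S - r_0}}\right)$$

We have $f'(r_0) > 0$ for $r_0 < S/2$; $f'(r_0) = 0$ for $r_0 = S/2$; $f'(r_0) < 0$ for $r_0 > S/2$. This means 
that the maximum of f is achieved for $r_0 = S/2$, i.e. $r_0 = r_1$. 

We now show that $r_2 = 1 - p + \varepsilon$ gives the maximal cheating probability if $\varepsilon$ is not too big. 
Since $P_A^*$ is maximal for $r_0 = r_1$ and for $r_0 + r_1 + r_2 = 1$, we have 

$$P_A^* \le \frac{1}{2}\left(\sqrt{p r_0} + \sqrt{(1-p) r_2}\right)^2 + \frac{1}{2}\left(\sqrt{p r_1} + \sqrt{(1-p) r_2}\right)^2 \le \left(\sqrt{p r_0} + \sqrt{(1-p) r_2}\right)^2$$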

Again, we take the derivative of g. 
From this, we have 

$$g'(r_2) \ge 0 \Leftrightarrow \sqrt{\frac{p}{2(1 - r_2)}} \le \sqrt{\frac{1-p}{r_2}} \Leftrightarrow p r_2 \le 2(1 - r_2)(1 - p) \Leftrightarrow r_2 \le 1 - \frac{p}{2-p}$$

For $\varepsilon < p\left(1 - \frac{1}{2-p}\right)$, we have $1 - p + \varepsilon < 1 - \frac{p}{2-p}$ so when $\varepsilon < p\left(1 - \frac{1}{2-p}\right)$, $g(r_2)$ is always increasing 
when $r_2 \le 1 - p + \varepsilon$ and is maximal when $r_2 = 1 - p + \varepsilon$, which concludes the proof. ■ 